Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

67450bf4ba...9b.exe

windows7-x64

10

67450bf4ba...9b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 10:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67450bf4bafa5415d22cf2608e9b729b.exe

  • Size

    512KB

  • MD5

    67450bf4bafa5415d22cf2608e9b729b

  • SHA1

    84084805d8edd3694e67f3f0a66e37728a8a3b60

  • SHA256

    896e6429bf188ede54e16b81c76631871a427c3d17dd4d82185f641015ba5bc0

  • SHA512

    45680a55166e8ac63a7456d3814192e10315ac0121c042267e1abbc001033285c9390d920df2e2493e0d45df52116e3d68d1fd56dba570351df6aa8d581329c3

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67450bf4bafa5415d22cf2608e9b729b.exe
    "C:\Users\Admin\AppData\Local\Temp\67450bf4bafa5415d22cf2608e9b729b.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
        PID:2508
      • C:\Windows\SysWOW64\nrdghrosgflud.exe
        nrdghrosgflud.exe
        2⤵
        • Executes dropped EXE
        PID:1272
      • C:\Windows\SysWOW64\dqoctxzd.exe
        dqoctxzd.exe
        2⤵
        • Executes dropped EXE
        PID:2324
      • C:\Windows\SysWOW64\ajogbggpmbppujx.exe
        ajogbggpmbppujx.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4976
      • C:\Windows\SysWOW64\poazvjnghj.exe
        poazvjnghj.exe
        2⤵
        • Executes dropped EXE
        PID:2472
    • C:\Windows\SysWOW64\dqoctxzd.exe
      C:\Windows\system32\dqoctxzd.exe
      1⤵
        PID:1764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
        Filesize

        512KB

        MD5

        42ceb30ba3d2f2696fe902002e38dbf4

        SHA1

        1937a1570bac8294aa4ab68d012ab922899fced9

        SHA256

        95c70b6b8465477b809c9577923b7de685343cf95611abf7eaca082d2eb32f4b

        SHA512

        36301d338568624eb7c26b61ebaf7ff26bd9aa5c541de43187a1671d0a206de0f88fa4374766ba3546e0624a376ed6b7d70bb75970f4b84aedd7b6087be09987

        Download Submit

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
        Filesize

        512KB

        MD5

        afe35d19b47e4541fbc354e5791dd4be

        SHA1

        faa25d0eb103cc354a1269009e8212a641dc575d

        SHA256

        8e0260e1d5d09e57aaf804784850439e599e019c2fa2406a7b772e54f1ab286a

        SHA512

        6bc77c1c45c965d0306b84c30abdd99df3aefd3bf7ebbccdea34f1c7ba9b023e5e812f9f1f3781bded3c247b25858003f0c3bffcabcaa0d4042d2e8419d0339f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        239B

        MD5

        12b138a5a40ffb88d1850866bf2959cd

        SHA1

        57001ba2de61329118440de3e9f8a81074cb28a2

        SHA256

        9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

        SHA512

        9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        3KB

        MD5

        204bcbd3cc247e6eecdf90d000d716e5

        SHA1

        befeb86696dcdcf2ae2e6b20b564f296de5109b7

        SHA256

        b8fce0b94520bfc06fd715fdc1f59ed499263a55cf55ad5d57d671ea8a20ebf1

        SHA512

        f20d03ccdb08e31d3a1db762fc3bf8d5af9b44e2aed11b5005e680bfc8cc709f4bfb8ee69f3f88ba701435d1b52e6b2297899606937c2af673938ce5a58c0e29

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        3KB

        MD5

        aa2a81f865c818c16a1ad572759e9f21

        SHA1

        ff9e64dee9b8cabbecd96d69dde619015fed1792

        SHA256

        c86d906398649d65430fdd08f543da91f6b808c1ee2c773d6f9d91e46d4ae509

        SHA512

        c314c8e442088a2b6ed56bea882b7291d4dc1ee9539a5263b67d1533251a0b2bf781c8de76b93b63836353a32f52074fe056aec1790dcd5fda2ff818a993b12f

        Download Submit

      • C:\Windows\SysWOW64\ajogbggpmbppujx.exe
        Filesize

        512KB

        MD5

        efd5a5bb856ccc689079b6ed380151da

        SHA1

        00d598707522045f8f4f2f54ee8a942dcc7e06ac

        SHA256

        17aeaeccdd6cd8ac13f3a904d6fbe30f6527ad58a168e50888b2e87cbba2d60e

        SHA512

        6a4831ca053a6f749612eec1d0fce13c22272f8ab5c19e8deb0bf300fb82b861ed4e56b89481f5e681be1b5ebdfb87ad3f1ef76c2c203d09a5a0664a02bc030a

        Download Submit

      • C:\Windows\SysWOW64\dqoctxzd.exe
        Filesize

        512KB

        MD5

        8e098b392563e3e63d84a3bec0529d99

        SHA1

        b808c1aa69a92f8c491b07b727db2b4fa2edd3ba

        SHA256

        108075ce1035eb64e6421096790901fc357d18941705ba5d6928e6a57a129c0b

        SHA512

        4d334f6a42f06fd414329b1bf80e48200f64bb33f7a3dbf2b07643c34587623fc5530cbf6007a9884fdfeffc7b79060c12550b6e1cd5969fb2de8eaea5674f3d

        Download Submit

      • C:\Windows\SysWOW64\nrdghrosgflud.exe
        Filesize

        512KB

        MD5

        7a614b32a538fbdbd447f586117eb835

        SHA1

        0ac5e91a19389eecaf0ce5620fcbea3245010f8d

        SHA256

        735ef42500874d532486e0f70c2997bc50a159cbb57c86f49dd7b6b9820d4975

        SHA512

        b7993769c011dae8d7938afed46ac6e25ea60cac136fad3ed1a0976447d4f51463cc98323df1c315a529de52cd224d49f3316f690ec46e44ae71d3c906b42f5d

        Download Submit

      • C:\Windows\SysWOW64\poazvjnghj.exe
        Filesize

        512KB

        MD5

        3335309eefac325ed63cfad13a711744

        SHA1

        0a01b1e03d8a7d85a51fa6c6528c1d5a659174f1

        SHA256

        46c1274f6cc9e2900d799e0aecc764aaa5808e796e7ab24ead52506ae03f6f7f

        SHA512

        06ed2b57a2b6e7ae6859259279f008df3d46984f839d2db176d54a86b51ea487c3175d99f45a7cf916bbf4d28313eb61ef4e3b23234bfeb3f8f9a5d809c31f4e

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        512KB

        MD5

        724b1ba8971c1dacc3d37ad90c4ebc81

        SHA1

        9578b4ba960872afda623de55c369f8ae0463c2c

        SHA256

        1c047be55cf5d1ee37fb88933e10a58f711b3250c0b28e13e44881a201492ebd

        SHA512

        7f66b147f715bc9d203c1b2ccede6a2e06910f7d202f7dc00b1615279376564861dc9e9f2bb3110075286f401aac75c5f8510e7ba67e741aed658052553777e5

        Download Submit

      • memory/1060-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2508-43-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-52-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-53-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-50-0x00007FFBF3810000-0x00007FFBF3820000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-49-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-45-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-55-0x00007FFBF3810000-0x00007FFBF3820000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-42-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-41-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-38-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-37-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-36-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-51-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-54-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-48-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-44-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-40-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-39-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-35-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-118-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-144-0x00007FFC35950000-0x00007FFC35B45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2508-143-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-142-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-141-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2508-140-0x00007FFBF59D0000-0x00007FFBF59E0000-memory.dmp

        Filesize

        64KB

        Download